boulot ldap

develop-etcd
Fanch 1 year ago
parent
commit
ccb48de7b9
  1. 4
      bin/ldap/migrate_to_ldap.sh
  2. 4
      dockers/ldap/acl.ldif.tmpl
  3. 29
      dockers/ldap/bootstrap.ldif.tmpl
  4. 9
      dockers/ldap/first.sh
  5. 25
      dockers/ldap/nextcloud.ldif
  6. 59
      dockers/ldap/nextcloud.schema
  7. 15
      secret.tmpl/SetAllPass.sh
  8. 7
      secret.tmpl/env-ldapServ

4
bin/ldap/migrate_to_ldap.sh

@ -21,6 +21,7 @@ do
changeType: add\n\
objectclass: inetOrgPerson\n\
objectClass: PostfixBookMailAccount\n\
objectClass: nextCloudAccount\n\
sn: ${mail}\n\
mail: ${mail}\n\
\n\n\
@ -50,6 +51,9 @@ mailStorageDirectory: maildir:/var/mail/${domain}/${user}/\n\
replace: mailUidNumber\n\
mailUidNumber: 5000\n\
-\n\
replace: cloudQuota\n\
cloudQuota: 10 GB\n\
-\n\
replace: userPassword\n\
userPassword: $pass\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldap_LDAP_ADMIN_PASSWORD}
done
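Review bot: The new `replace: cloudQuota` block is emitted inside the same modify record as `replace: userPassword` (the `-` separators join them into one LDAP modify operation), so if the server does not know `nextCloudAccount`/`cloudQuota` the whole operation — password included — is rejected for that user, and `ldapmodify -c` silently carries on with the next one; the `objectClass: nextCloudAccount` added to the initial add record fails the same way. I would drop `-c` and stop on a non-zero exit status, or at least put the quota in its own modify record so a schema problem cannot cost a migrated account its password. The quota is also hard-coded for every account; `cloudQuota: ${CLOUD_QUOTA:-10 GB}\n\` keeps the current default while letting the caller override it. The echo/pipeline these lines belong to starts before the hunk, so its quoting context is not visible here.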

4
dockers/ldap/acl.ldif.tmpl

@ -1,6 +1,6 @@
dn: olcDatabase={2}mdb,cn=config
changeType: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=adminpwd,ou=system,$LDAPROOT" write by dn="$BINDDN" write by * none
olcAccess: {1}to dn.subtree="$LDAPROOT" by self read by dn="cn=adminro,ou=system,$LDAPROOT" read by dn="cn=adminpwd,ou=system,$LDAPROOT" read by dn="$BINDDN" write by * none
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=ldapui,ou=applications,$LDAPROOT" write by dn="$BINDDN" write by * none
olcAccess: {1}to dn.subtree="$LDAPROOT" by self read by dn="cn=ldapui,ou=applications,$LDAPROOT" read by dn="cn=postfix,ou=applications,$LDAPROOT" read by dn="cn=mattermost,ou=applications,$LDAPROOT" read by dn="cn=cloud,ou=applications,$LDAPROOT" read by dn="cn=mobilizon,ou=applications,$LDAPROOT" read by dn="$BINDDN" write by * none
olcAccess: {2}to * by dn="$BINDDN" write by * none
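Review bot: The rewritten `{0}` rule gives `cn=ldapui` write on `userPassword` for every entry under the database, which now includes the `ou=applications` service accounts, so a compromised UI bind can reset the postfix/mattermost/cloud/mobilizon passwords and then bind as them with the read rights `{1}` grants. Since the UI only needs to manage people, I would carve the service accounts out first and keep ldapui's write confined to the rest (the subtree read rule and the catch-all keep their text and move to `{2}` and `{3}`). The application accounts still get `by self write` on their own password and `by anonymous auth` for binding.
```ldif
olcAccess: {0}to dn.subtree="ou=applications,$LDAPROOT" attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="$BINDDN" write by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=ldapui,ou=applications,$LDAPROOT" write by dn="$BINDDN" write by * none
# … unchanged: the dn.subtree="$LDAPROOT" read rule, renumbered {2} …
# … unchanged: the "to *" catch-all, renumbered {3} …
```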

29
dockers/ldap/bootstrap.ldif.tmpl

@ -12,16 +12,31 @@ dn: ou=users,$LDAPROOT
objectClass: organizationalUnit
ou: users
dn: ou=system,$LDAPROOT
dn: ou=applications,$LDAPROOT
objectClass: organizationalUnit
ou: system
dn: cn=adminro,ou=system,$LDAPROOT
dn: cn=postfix,ou=applications,$LDAPROOT
objectClass: person
sn: adminro
userPassword: $ADMINROPASSWORD
sn: postfix
userPassword: $POSTFIX_PASSWORD
dn: cn=adminpwd,ou=system,$LDAPROOT
dn: cn=ldapui,ou=applications,$LDAPROOT
objectClass: person
sn: adminpwd
userPassword: $ADMINPWDPASSWORD
sn: ldapui
userPassword: $LDAPUI_PASSWORD
dn: cn=mattermost,ou=applications,$LDAPROOT
objectClass: person
sn: mattermost
userPassword: $MATTERMOST_PASSWORD
dn: cn=cloud,ou=applications,$LDAPROOT
objectClass: person
sn: cloud
userPassword: $CLOUD_PASSWORD
dn: cn=mobilizon,ou=applications,$LDAPROOT
objectClass: person
sn: mobilizon
userPassword: $MOBILIZON_PASSWORD
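Review bot: The `ou: system` line directly under the renamed `dn: ou=applications,$LDAPROOT` looks like untouched context, so the new entry names itself `applications` in its DN but carries `ou: system` as its attribute; slapd normally refuses an add whose RDN value is not present in the entry (namingViolation), and even where it does not, the value is simply wrong. It should read `ou: applications`. The five `person` entries likewise carry no `cn:` attribute matching their RDN — if the pre-existing adminro/adminpwd entries loaded without one that is worth confirming rather than assuming, since the same naming check applies to `cn`.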

9
dockers/ldap/first.sh

@ -30,11 +30,16 @@ sed -i -e "s/\$LDAPROOT/${ldap_root}/g" acl.ldif
cp bootstrap.ldif.tmpl bootstrap.ldif
sed -i -e "s/\$LDAPROOT/${ldap_root}/g" bootstrap.ldif
sed -i -e "s/\$DC/${DC}/g" bootstrap.ldif
sed -i -e "s%\$ADMINROPASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_ADMINRO_PASSWORD}`%g" bootstrap.ldif
sed -i -e "s%\$ADMINPWDPASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_ADMINPWD_PASSWORD}`%g" bootstrap.ldif
sed -i -e "s%\$POSTFIX_PASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_POSTFIX_PASSWORD}`%g" bootstrap.ldif
sed -i -e "s%\$LDAPUI_PASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_LDAPUI_PASSWORD}`%g" bootstrap.ldif
sed -i -e "s%\$MATTERMOST_PASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_MATTERMOST_PASSWORD}`%g" bootstrap.ldif
sed -i -e "s%\$CLOUD_PASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_CLOUD_PASSWORD}`%g" bootstrap.ldif
sed -i -e "s%\$MOBILIZON_PASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_MOBILIZON_PASSWORD}`%g" bootstrap.ldif
ldapadd -H ldap://$LDAP_IP -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -f acl.ldif
ldapadd -H ldap://$LDAP_IP -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -f postfixbook.ldif
ldapmodify -H ldap://$LDAP_IP -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -f nextcloud.ldif
ldapadd -H ldap://$LDAP_IP -D "${BINDDN}" -w ${LDAP_ADMIN_PASSWORD} -f bootstrap.ldif
CONFIG_IHM="${DOCK_VOL}/ldap_configSSP/_data/config.inc.php"
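Review bot: The five new `mkpasswd -m sha512crypt ${LDAP_..._PASSWORD}` invocations pass each service-account password as a command-line argument, where it is readable by any local user through `ps` or `/proc/*/cmdline` for the lifetime of the process, and the unquoted expansion also breaks on a password containing spaces or glob characters; mkpasswd can read the secret on stdin instead. The new `ldapmodify ... -f nextcloud.ldif` line has its exit status ignored, so a failed schema load lets the script continue to `bootstrap.ldif` and, later, to a migration that references `nextCloudAccount`; no `set -e` is visible in this hunk, and the script's beginning is outside it. The `-w` bind passwords on the ldapadd/ldapmodify lines have the same argv exposure; `-y <passfile>` avoids it, though that is pre-existing.
```shell
# … unchanged: LDAPROOT / DC substitutions …
# Hash a service-account password; feed it on stdin so it never appears in argv.
hash_pw() { printf '{CRYPT}%s' "$(printf '%s\n' "$1" | mkpasswd -m sha512crypt --stdin)"; }
sed -i -e "s%\$POSTFIX_PASSWORD%$(hash_pw "$LDAP_POSTFIX_PASSWORD")%g" bootstrap.ldif
sed -i -e "s%\$LDAPUI_PASSWORD%$(hash_pw "$LDAP_LDAPUI_PASSWORD")%g" bootstrap.ldif
sed -i -e "s%\$MATTERMOST_PASSWORD%$(hash_pw "$LDAP_MATTERMOST_PASSWORD")%g" bootstrap.ldif
sed -i -e "s%\$CLOUD_PASSWORD%$(hash_pw "$LDAP_CLOUD_PASSWORD")%g" bootstrap.ldif
sed -i -e "s%\$MOBILIZON_PASSWORD%$(hash_pw "$LDAP_MOBILIZON_PASSWORD")%g" bootstrap.ldif
# … unchanged: acl.ldif / postfixbook.ldif loads …
# bootstrap.ldif and the migration reference nextCloudAccount; do not continue if the schema did not load.
ldapmodify -H ldap://$LDAP_IP -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -f nextcloud.ldif \
  || { echo "nextcloud schema load failed" >&2; exit 1; }
```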

25
dockers/ldap/nextcloud.ldif

@ -0,0 +1,25 @@
#
# SCHEMA 'ownCloud' for 389DS (cn=schema)
#
# From http://doc.owncloud.org/server/6.0/admin_manual/configuration/auth_ldap.html
#
# Quota Field:
# ownCloud can read an LDAP attribute and set the user quota according to its value.
# Specify the attribute here, otherwise keep it empty. The attribute shall return
# human readable values, e.g. "2 GB".
#
# INSTALLATION:
# sudo ldapadd -Y EXTERNAL -H ldapi:/// -f owncloud.ldif
#
# SOURCE:
# https://github.com/valerytschopp/owncloud-ldap-schema
#
# WARNING: the spaces ' ' in the definitions are very important!!!
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.39430.1.1.1 NAME 'cloudQuota' DESC 'User Quota (e.g. 2 GB)' EQUALITY caseExactMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
-
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.39430.1.2.1 NAME 'nextCloudAccount' DESC 'nextCloud LDAP Schema' AUXILIARY MAY ( cloudQuota ) )
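Review bot: This file targets `dn: cn=schema` with `add: attributetypes` / `add: objectclasses`, which is the 389DS layout its own header announces, while the rest of this commit configures OpenLDAP's `cn=config` (`olcDatabase={2}mdb` in acl.ldif.tmpl); on OpenLDAP there is no `cn=schema` entry, so the modify should fail with "No such object" and `nextCloudAccount` never becomes usable. The OpenLDAP form is a new `olcSchemaConfig` entry under `cn=schema,cn=config`, loaded with ldapadd rather than ldapmodify. The commit also vendors the official Nextcloud schema (`nextcloud.schema`, OID arc 49213, `nextcloudQuota`) alongside this ownCloud-derived one (OID arc 39430, `cloudQuota`); the visible first.sh lines only load this file, so keeping one of the two would avoid a second, conflicting definition later.
```ldif
dn: cn=nextcloud,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: nextcloud
olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.1 NAME 'cloudQuota' DESC 'User Quota (e.g. 2 GB)' EQUALITY caseExactMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.39430.1.2.1 NAME 'nextCloudAccount' DESC 'nextCloud LDAP Schema' AUXILIARY MAY ( cloudQuota ) )
```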

59
dockers/ldap/nextcloud.schema

@ -0,0 +1,59 @@
#--------------------------------------------------------------------------
# Copyright (c) 2017 Arthur Schiwon <blizzz@arthur-schiwon.de>
#
# Author: Arthur Schiwon <blizzz@arthur-schiwon.de>
#--------------------------------------------------------------------------
# GNU AGPL version 3 or any later version
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#--------------------------------------------------------------------------
# 1.3.6.1.4.1.49213 Nextcloud OID
# 1.3.6.1.4.1.49213.1 Nextcloud LDAP Elements
# 1.3.6.1.4.1.49213.1.1 AttributeTypes
# 1.3.6.1.4.1.49213.1.2 ObjectClasses
#--------------------------------------------------------------------------
# Attribute Types
#-----------------
attributetype ( 1.3.6.1.4.1.49213.1.1.1 NAME 'nextcloudEnabled'
DESC 'whether user or group should be available in Nextcloud'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
attributetype ( 1.3.6.1.4.1.49213.1.1.2 NAME 'nextcloudQuota'
DESC 'defines how much disk space is available for the user'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
# Object Classes
#---------------
objectclass ( 1.3.6.1.4.1.49213.1.2.1 NAME 'nextcloudUser'
DESC 'A Nextcloud user'
SUP top AUXILIARY
MUST ( cn )
MAY ( nextcloudEnabled $ nextcloudQuota )
)
objectclass ( 1.3.6.1.4.1.49213.1.2.2 NAME 'nextcloudGroup'
DESC 'A Nextcloud group'
SUP top AUXILIARY
MUST ( cn )
MAY ( nextcloudEnabled )
)

15
secret.tmpl/SetAllPass.sh

@ -52,15 +52,18 @@ ldap_LDAP_ADMIN_USERNAME="--clean_val--"
ldap_LDAP_ADMIN_PASSWORD="--clean_val--"
ldap_LDAP_CONFIG_ADMIN_USERNAME="--clean_val--"
ldap_LDAP_CONFIG_ADMIN_PASSWORD="--clean_val--"
ldap_LDAP_ADMINRO_PASSWORD="--clean_val--"
ldap_LDAP_ADMINPWD_PASSWORD="--clean_val--"
ldap_LDAP_POSTFIX_PASSWORD="--clean_val--"
ldap_LDAP_LDAPUI_PASSWORD="--clean_val--"
ldap_LDAP_MATTERMOST_PASSWORD="--clean_val--"
ldap_LDAP_CLOUD_PASSWORD="--clean_val--"
ldap_LDAP_MOBILIZON_PASSWORD="--clean_val--"
ldap_LDAPUI_URI=ldap://ldap
ldap_LDAPUI_BASE_DN=${ldap_root}
ldap_LDAPUI_REQUIRE_STARTTLS=FALSE
ldap_LDAPUI_ADMINS_GROUP=admins
ldap_LDAPUI_ADMIN_BIND_DN=cn=adminpwd,ou=system,${ldap_root}
ldap_LDAPUI_ADMIN_BIND_PWD=${ldap_LDAP_NOBODY_PASSWORD}
ldap_LDAPUI_ADMIN_BIND_DN=cn=ldapui,ou=applications,${ldap_root}
ldap_LDAPUI_ADMIN_BIND_PWD=${ldap_LDAP_LDAPUI_PASSWORD}
ldap_LDAPUI_IGNORE_CERT_ERRORS=TRUE
###################
@ -144,8 +147,8 @@ roundcube_ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE="1G"
####################
# postfix LDAP
mail_LDAP_BIND_DN=cn=adminro,ou=system,${ldap_root}
mail_LDAP_BIND_PW=${ldap_LDAP_ADMINRO_PASSWORD}
mail_LDAP_BIND_DN=cn=postfix,ou=applications,${ldap_root}
mail_LDAP_BIND_PW=${ldap_LDAP_POSTFIX_PASSWORD}
####################
# sympa
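Review bot: The new `ldap_LDAPUI_ADMIN_BIND_PWD=${ldap_LDAP_LDAPUI_PASSWORD}` is the credential that the ACL template in this commit grants write on `userPassword`, yet the surrounding settings send it over `ldap://ldap` with `ldap_LDAPUI_REQUIRE_STARTTLS=FALSE` and `ldap_LDAPUI_IGNORE_CERT_ERRORS=TRUE`, so every UI bind puts the most privileged application secret on the wire in clear text. If the UI and slapd only talk over a private container network that may be an accepted trade-off, but it deserves a comment saying so; otherwise `ldap_LDAPUI_REQUIRE_STARTTLS=TRUE` and `ldap_LDAPUI_IGNORE_CERT_ERRORS=FALSE` with a CA the UI trusts. The same applies to the postfix bind switched at the bottom of the section, whose transport settings are not visible here.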

7
secret.tmpl/env-ldapServ

@ -2,5 +2,8 @@ LDAP_ADMIN_USERNAME=
LDAP_ADMIN_PASSWORD=
LDAP_CONFIG_ADMIN_USERNAME=
LDAP_CONFIG_ADMIN_PASSWORD=
LDAP_ADMINRO_PASSWORD=
LDAP_ADMINPWD_PASSWORD=
LDAP_POSTFIX_PASSWORD=
LDAP_LDAPUI_PASSWORD=
LDAP_MATTERMOST_PASSWORD=
LDAP_CLOUD_PASSWORD=
LDAP_MOBILIZON_PASSWORD=
